The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high-privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
Create/edit a Download and put the following payload in the File Name field:

Download the file via the frontend (as unauthenticated for example)

The XSS will be triggered when viewing the Reports > Logs Page (/wp-admin/edit.php?post_type=download&page=edd-reports&tab=logs)
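The two missing controls named in the description, sanitising the File Name when it is saved and escaping it when the Logs table is rendered, shown as an added example that is not the plugin's own code. The `demo_*` function names and the sample value are hypothetical; `sanitize_text_field()` and `esc_html()` are the WordPress core helpers, with rough stand-ins defined only so the file also runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. All demo_* names are hypothetical.

// Outside WordPress, approximate the core helpers so this file runs on its own.
// Inside WordPress these branches are skipped and the real helpers are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Simplified stand-in: strip tags and collapse whitespace.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Input side: clean the File Name before it is stored with the Download.
function demo_save_file_name($raw_name) {
    return sanitize_text_field($raw_name);
}

// Output side as the advisory describes it: the stored value reaches the
// Logs table unchanged, so any markup in it is interpreted by the browser.
function demo_log_cell_unescaped($file_name) {
    return '<td class="file">' . $file_name . '</td>';
}

// Output side, hardened: escape at the point of output, so values stored
// before the input-side fix was deployed are rendered as text as well.
function demo_log_cell($file_name) {
    return '<td class="file">' . esc_html($file_name) . '</td>';
}

// Constructed sample: a File Name containing harmless markup.
$legacy_value = '<b>report</b>.pdf';

echo "unescaped output:  ", demo_log_cell_unescaped($legacy_value), "\n";
echo "escaped output:    ", demo_log_cell($legacy_value), "\n";
echo "sanitised on save: ", demo_log_cell(demo_save_file_name($legacy_value)), "\n";
```

Escaping on output is the control that covers rows already in the database; sanitising on save alone leaves previously stored file names unchanged.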